docs(kic): add upstream TLS verification guide

Kong · Dec 2, 2024 · 3928706 · 3928706
1 parent 6ba3469
commit 3928706
Show file tree

Hide file tree

Showing 6 changed files with 456 additions and 14 deletions.
diff --git a/.github/styles/kong/dictionary.txt b/.github/styles/kong/dictionary.txt
@@ -258,6 +258,7 @@ Github
 glibc
 globbing
 Gluu
+goecho
 gojira
 Golang
 Goroutine

diff --git a/app/_data/docs_nav_kic_3.4.x.yml b/app/_data/docs_nav_kic_3.4.x.yml
@@ -145,6 +145,8 @@ items:
             url: /guides/security/client-ip
           - text: Kubernetes Secrets in Plugins
             url: /guides/security/plugin-secrets
+          - text: Verifying Upstream TLS
+            url: /guides/security/verify-upstream-tls
       #- text: Service Mesh
       #  items:
       #    - text: Kong Mesh

diff --git a/app/_includes/md/kic/ca-certificates-note.md b/app/_includes/md/kic/ca-certificates-note.md
@@ -0,0 +1,13 @@
+{:.note}
+> CA certificates in Kong are provisioned by creating a `Secret` resource in Kubernetes. CA certificate secrets must
+> have the following properties:
+> - the `konghq.com/ca-cert: "true"` label applied.
+> - a`cert` data property which contains a valid CA certificate in PEM format.
+> - a `kubernetes.io/ingress.class` annotation whose value matches the value of the controller's `--ingress-class`
+    argument. By default, that value is `kong`.
+> - an `id` data property which contains a random UUID.
+>
+> Each CA certificate that you create needs a unique ID. Any random UUID should suffice here and it doesn't have a
+> security implication. You can use [uuidgen](https://linux.die.net/man/1/uuidgen) (Linux, OS X)
+> or [New-Guid](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/new-guid) (Windows) to
+> generate an ID.
-Original file line number
+Diff line change
@@ Expand Up / @@ -258,6 +258,7 @@ Github @@
     glibc
     globbing
     Gluu
+    goecho
     gojira
     Golang
     Goroutine
@@ Expand Down @@